GCP has a managed service, “Google-managed certificates”. Google-managed SSL certificates are Domain Validation (DV) certificates that Google Cloud obtains and manages for your domains, and they can be attached to a GKE ingress for free! They support multiple hostnames in each certificate, and Google renews the certificates automatically. It is a convenient feature wherein the SSL certificates are provisioned and managed for your domain names using GKE ingress.
Prerequisites
- You must have an FQDN in Google Domains or another registrar (Godaddy.com, Cloudflare.com, etc.)
- Enable the HttpLoadBalancing add-on in the GKE cluster
- Keep the Ingress and ManagedCertificate in the same namespace
- Create a global reserved external IP address.
After setting up gcloud in your console, run the commands below to reserve an IP for your GCP project. You also have to pass a name for the IP.
gcloud compute addresses create <IP_NAME> --global
gcloud compute addresses describe <IP_NAME> --global
#output will be similar to,
#address: 214.5.73.12
You need to configure this IP address in your domain’s DNS records.
2. Setting up a Google-managed certificate & ingress
Now, let's create a ManagedCertificate object in the cluster. This resource specifies the domains for the SSL certificate. Wildcard domains are not supported.
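A minimal manifest matching the setup described here, as an added example rather than the original post's ingress.yaml. The namespace project-dev and the certificate name ingress-dev come from the status commands on this page; the hostname, the Ingress name and the backend Service are assumed placeholders.

```yaml
# Added example. Values marked "assumed" are placeholders, not from the original post.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: ingress-dev                 # name used by the status check on this page
  namespace: project-dev
spec:
  domains:
    - app.example.com               # assumed; exact hostnames only, no wildcards
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-dev                 # assumed
  namespace: project-dev            # must be the same namespace as the ManagedCertificate
  annotations:
    kubernetes.io/ingress.class: "gce"
    # Name of the global address reserved with gcloud above
    kubernetes.io/ingress.global-static-ip-name: "<IP_NAME>"
    # Must match metadata.name of the ManagedCertificate
    networking.gke.io/managed-certificates: "ingress-dev"
spec:
  defaultBackend:
    service:
      name: web-svc                 # assumed backend Service
      port:
        number: 80
```

Every hostname listed under domains needs a DNS record pointing at the reserved IP before the certificate can become active.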
kubectl create -f ingress.yaml
You can check the status of the certificate and ingress resources using the commands below:
kubectl get managedcertificate -n project-dev
kubectl get ingress -n project-dev
The Ingress and certificate will take time to finish provisioning.
Note: The certificate takes some 45–60 minutes to get activated.
I used a script to check the status of the certificate, as it took a random duration to get provisioned.
while sleep 1; do kubectl -n project-dev describe managedcertificate.networking.gke.io/ingress-dev | grep Provisioning; date; done
Finally, the ‘Certificate’ resource will be updated and the Domain Status changes to Status: Active. Now, we can verify that SSL/TLS is working by visiting our domain.